Posts Tagged ‘default user’

How to make sure your Linux system users won’t hide or delete their .bash_history / Securing .bash_history file – Protect Linux system users shell history

Monday, July 19th, 2010

Reading Time: 4minutes

If you're running multi user login Linux system, you have probably realized that there are some clever users that prefer to prevent their command line executed commands to be logged in .bash_history.
To achieve that they use a number of generally known methodologist to prevent the Linux system from logging into their $HOME/.bash_history file (of course if running bash as a default user shell).
This though nice for the user is a real nightmare for the sysadmin, since he couldn't keep track of all system command events executed by users. For instance sometimes an unprivilegd user might be responsible for executing a malicious code which crashes or breaks your server.
This is especially unpleasent, because you will find your system crashed and if it's not some of the system services that causes the issue you won’t even be able to identify which of all the users is the malicious user account and respectively the code excecuted which fail the system to the ground.
In this post I will try to tell you a basic ways that some malevolent users might use to hide their bash history from the system administrator.
I will also discuss a few possible ways to assure your users .bash_history keeps intact and possibly the commands executed by your users gets logged in in their.
The most basic way that even an unexperienced shell user will apply if he wants to prevent his .bash_history from sys admins review would be of directly wiping out the .bash_history file from his login account or alternatively emptying it with commands like:

malicious-user@server:~$ rm -f. bash_history
ormalicious-user@server:~# cat /dev/null > ~/.bash_history

In order to prevent this type of attack against cleaning the .bash_history you can use the chattr command.
To counter attack this type of history tossing method you can set your malicious-user .bash_history’s file the (append only flag) with chattr like so:

root@server:~# cd /home/malicious-user/
root@server:~# chattr +a .bash_history

It’s also recommended that the immunable flag is placed to the file ~/.profile in user home

root@server:~# chattr +i ~/.profile

It would be probably also nice to take a look at all chattr command attributes since the command is like swiss army knife for the Linux admin:
Here is all available flags that can be passed to chattr
append only (a)
compressed (c)
don~@~Yt update atime (A)
synchronous directory updates (D)
synchronous updates (S)
data journalling (j)
no dump (d)
top of directory hierarchy (T)
no tail-merging (t)
secure deletion (s)
undeletable (u)
immutable (i)

It’s also nice that setting the “append only” flag in to the user .bash_history file prevents the user to link the .bash_history file to /dev/null like so:

malicious-user@server:~$ ln -sf /dev/null ~/.bash_history
ln: cannot remove `.bash_history': Operation not permitted

malicious-user@server:~$ echo > .bash_history
bash: .bash_history: Operation not permitted

However this will just make your .bash_history append only, so the user trying to execute cat /dev/null > .bash_history won’t be able to truncate the content of .bash_history.

Unfortunately he will yet be able to delete the file with rm so this type of securing your .bash_history file from being overwritten is does not completely guarantee you that user commands will get logged.
Also in order to prevent user to play tricks and escape the .bash_history logging by changing the default bash shell variables for HISTFILE an d HISTFILESIZE, exporting them either to a different file location or a null file size.
You have to put the following bash variables to be loaded in /etc/bash.bashrc or in /etc/profile
# #Prevent unset of histfile, /etc/profile
# Don't let the users enter commands that are ignored# in the history file
readonly HISTFILE
readonly HISTSIZE

everytime a user logs in to your Linux system the bash commands above will be set.
The above tip is directly taken from Securing debian howto which by the way is quite an interesting and nice reading for system administrators 🙂

If you want to apply an append only attribute to all user .bash_history to all your existing Linux server system users assuming the default users directory is /home in bash you can execute the following 1 liner shell code:

#Set .bash_history as attr +a
2. find /home/ -maxdepth 3|grep -i bash_history|while read line; do chattr +a "$line"; done

Though the above steps will stop some of the users to voluntary clean their .bash_history history files it won’t a 100% guaranttee that a good cracker won’t be able to come up with a way to get around the imposed .bash_history security measures.

One possible way to get around the user command history prevention restrictions for a user is to simply using another shell from the ones available on the system:
Here is an example:

malicious-user:~$ /bin/csh

csh shell logs by default to the file .history

Also as far as I know it should be possible for a user to simply delete the .bash_history file overwritting all the .bash_history keep up attempts up-shown.
If you need a complete statistics about accounting you’d better take a look at The GNU Accounting Utilities

In Debian the GNU Accounting Utilities are available as a package called acct, so installation of acct on Debian is as simple as:

debian:~# apt-get install acct

I won’t get into much details about acct and would probably take a look at it in my future posts.
For complete .bash_history delete prevention maybe the best practice is to useg grsecurity (grsec)

Hopefully this article is gonna be a step further in tightening up your Server or Desktop Linux based system security and will also give you some insight on .bash_history files 🙂 .

Alternative way to enter as administrator in MySQL if you forgot MySQL root password on Debian Linux

Wednesday, July 10th, 2013

Reading Time: 2minutes

Forgot MySQL password root alternative way to enter as administrator in MyQL MySQL logo with 2 dolphins

Whether you have to administrate a bunch of chaotic organized MySQL servers and amount of work is more than you can bear it is very common you make stupid mistakes, like loosing MySQL root adminsitrator password. There is way to recover password by stopping SQL server and starting it with –skip-grant-tables options via SSH , however if you do it that way there is at least few seconds of down time and as its not a good idea on productive servers Debian and Ubuntu Linux admins have better way to do it by using MySQL default user used to check whether all is fine with database on MySQL server initialization via /etc/init.d/mysql. User with GRANT PRIVILEGES, (all MySQL administrator users have grant privileges) on Debian based distributions is debian-sys-maint and whether you have root access to server you can easily obtain password with:

# grep -i -E 'user|pass' /etc/mysql/debian.cnf |uniq

user = debian-sys-maint

password = k6x6tBUBfHN3ZxHv

Using this password then you can login via mysql cli or via PhpMyAdmin, whether installed and do any normal SQL operation you do as root. Of course having this password in plain text file can be very dangerous, by default it is configured to be only red by root be careful not to change this permissions by default as anyone who has access to system can then access your SQL as administrator.
To reset MySQL root password once logged in run:

UPDATE USER set password=PASSWORD('NEW_PASS_WORD') where USER='root';

Enjoy 😉

How to change mail sent from in Nagios on Debian GNU/Linux 6

Wednesday, August 24th, 2011

Reading Time: < 1minute
I’ve been playing with configuring a new nagios running on a Linux host which’s aim is to monitor few Windows servers.
The Linux host’s exim is configured to act as relay host to another SMTP server, so all email ending up in the Linux localhost on port 25 is forwarded to the remote SMTP.

The remote smtp only allows the Linux to send email only in case if a real existing is passed it, otherwise it rejects mail and does not sent properly the email.
As the newly configured Nagios installatio is supposed to do e-mail notification, I was looking for a way to change the default user with which Nagios sends mails, which is inherited directly after the username with which /usr/sbin/nagios3 and /usr/sbin/nrpe are running (on Debian this is

Thanksfully, there is a work around, I’ve red some forum threads explaning that the username with whch nagios sends mail can be easily changed from /etc/nagios3/commands.cfg by passing the -a “From:” to all occurance of /usr/bin/mail -s , its preferrable that the -a is inserted before the -s “” subject option. Hence the occurance of mail command should be changed from:

| /usr/bin/mail -s "** $NOTIFICATIONTYPE$


| /usr/bin/mail -a "From:" -s "** $NOTIFICATIONTYPE$

Now to read it’s new configurations nagios requirs restart:

debian:~# /etc/init.d/nagios3 restart

Now in case of failed services or Hosts Down nagios will send it’s mail from the custom user and nagios can can send mail properly via the remote relay SMTP host 😉